It's time: Patch Network Time Protocol before it loses track of time
Synchronise your watches before someone exploits DDoS bug, or nine other nasties
The maintainers of the Network Time Protocol daemon (ntpd) have pushed out a patch for ten security vulnerabilities.
Leading the fixfest is a trap-crash turned up by Cisco's Matthew Van Gundy.
If ntpd is configured with the trap service enabled, a malformed packet causes a null pointer dereference and crashes it.
CERT's full list of the vulnerabilities and fixes is here.
The NTP daemon is ubiquitous, and while it gets the most attention when attackers use it for DDoS attacks (such as in late 2013 when it was deployed against Battle.net, League of Legends and Steam), pretty much any 'net-facing server is running it, and is therefore potentially vulnerable to the latest brace of bugs. ®